I thought hubs were layer 1 devices, and so would have no active role in IPSec. I am reading to understand crypto maps:

Dynamic crypto map policies are used in site-to-site VPNs when an unknown remote peer tries to initiate an IPsec security association with the local hub. The hub cannot be the initiator of the security association negotiation. Dynamic crypto policies allow remote peers to exchange IPsec traffic with a local hub even if the hub does not know the remote peer's identity.

and apparently a hub may know the identity of a peer. If a hub is layer 1 only, how is this possible?

1 Answer
1

I think it's referring to "hub" as the center of a hub-and-spoke VPN architecture, as shown in this diagram.

Later on in the document you linked to, it says:

Dynamic—Dynamic crypto maps can only be used in a hub-and-spoke VPN
topology. Dynamic crypto map policies allow remote peers to exchange
IPsec traffic with a local hub, even if the hub does not know the
remote peer's identity.

Exactly that! Systems connect to other systems/locations by initiating connections via the hub. The 'hub' referred to is likely the main offices. Sites can connect to each other by connecting VPNs via the hub so it's like a hub and spoke combination on a wheel.
– AndyMac May 7 '13 at 21:29
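The hub-and-spoke relationship discussed in this thread, shown as an added configuration sketch that is not taken from the linked document or from any poster. It assumes Cisco IOS syntax; the names `DYN-SPOKES`, `VPN`, `TS`, `SPOKE-NETS` and `SPOKE-TO-HUB`, the interface names, and all addresses (documentation and private ranges) are made up for illustration, and the IKE policy and peer authentication are omitted.

```cisco
! ---------------- Hub (central site VPN router) ----------------
! No "set peer" anywhere: the hub does not know the spokes' addresses,
! so it can only respond to a negotiation, never initiate one.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Optional restriction: without "match address" the hub accepts whatever
! traffic selectors an authenticated spoke proposes.
ip access-list extended SPOKE-NETS
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS
 match address SPOKE-NETS
!
! The dynamic map is referenced from a normal crypto map entry, placed
! at a high sequence number so any static entries are tried first.
crypto map VPN 65535 ipsec-isakmp dynamic DYN-SPOKES
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN

! ---------------- Spoke (remote site) ----------------
! Static crypto map: the spoke knows the hub's address and is the
! side that initiates the security association.
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended SPOKE-TO-HUB
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address SPOKE-TO-HUB
!
interface Dialer0
 ip address negotiated
 crypto map VPN
```

Because the hub side accepts peers it has no entry for, what it will let in depends on how strongly the spokes are authenticated during IKE and on the `match address` restriction in the dynamic map.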